Quick Take: More clarity—or more confusion—on what the European Central Bank, acting in its Single Supervisory Mechanism capacity (the ECB-SSM), expects?
The ECB-SSM’s July 2018 Report1 summarizes the supervisory lessons learned and best practices identified in the first three recovery planning cycles since the creation of the ECB-SSM for credit institutions, i.e. banks. This will be of particular interest for those Banking Union Supervised Institutions (BUSIs) classified as significant credit institutions (SCIs). Importantly, as assessed in this Client Alert, the Report also alludes to what has been known as the most significant and overdue next step for the ECB-SSM in relation to recovery planning—the “operationalization” of Recovery Plans in making them more concise, usable and operational.
Recovery planning for financial services can be defined as an ongoing exercise to ensure that the institution has appropriate contingencies in place to respond to a significant stress while remaining a going concern. Recovery options are defined as “…the measures that a bank can take in order to restore its financial position in a crisis situation.”
The regulatory requirements on recovery planning for the EU’s banking sector are set out in the Banking Recovery and Resolution Directive (BRRD)2 and are complemented by the relevant technical standards in the form of the EU’s Commission Delegated Regulation3 and the European Banking Authority (EBA) Guidelines.4 The BRRD applies EU-wide but the ECB-SSM, together with the Single Resolution Board, act as the institutional “pillars” in the Banking Union and are in charge of how BRRD is applied to SCIs in recovery but also resolution.
The ECB-SSM Report provides more color on the practical supervisory application of these pieces of legislation and highlights “best practices” applied by those that the ECB-SSM considers as “best in class” SCIs in terms of their Recovery Plans. As the formal documents constituting a “Recovery Plan” are created by BUSIs and reviewed by the supervisors, additional publicly available guidance for BUSIs as to the standard expected from these documents is certainly welcome. Whilst the Report, in keeping with other ECB-SSM “Guides” that really read more like rules, the Report sets out supervisory expectations by stating:
“The report does not aim to impose additional requirements on banks. However, it makes reference to specific requirements set by the Bank Recovery and Resolution Directive (BRRD), the relevant Commission Delegated Regulation and European Banking Authority (EBA) guidelines. The ECB expects banks to comply with all these requirements in line with the law.”
So who might be interested? Besides the impact on SCIs as the direct addressees of the scope of the Report, it will likely be of interest to non-SCI BUSIs. This is especially likely to be the case, as what happens in respect of supervisory expectations set in respect of SCIs are often subsequently rolled-out and mirrored in relation to those other BUSIs that are not SCIs. In addition to the rolling-out, the Report may also be of interest to non-Banking Union credit institutions or third-country (i.e. non-EU) equivalent types of firms who might choose to apply similar measures.
So how will this affect SCIs? SCIs are directly supervised by the ECB-SSM. This shift will most likely mean a significantly higher level of scrutiny over the feasibility of execution of the recovery options, both in terms of a conceptual challenge of the assumptions put forward by the banks in their Recovery Plans (for which the best practices identified by the Report may be used as a guide), and, in a more unprecedented way, which is where the operationalization part comes in, whether the internal governance and operational capacity would allow the option to be exercised. The Report suggests using non-mandatory measures to improve operationalization such as using a “Playbook” or steps plan as well as performing dry-run exercises. Some of this design and embedding will require cross-enterprise input plus support from external legal counsel.
So how have SCIs done? Supervisory requirements and best practices
In its Report, the ECB-SSM identified a number of shortcomings in the SCI’s compliance with recovery planning requirements set out in legislation:
Presentation of recovery options: The relevant firms did not discuss the recovery options exhaustively and provided incomplete impact and feasibility assessments. Certain firms have not given significant consideration to the breadth of recovery options presented in plans and the nature of the firms’ business, size and interconnectedness to the financial system. SCIs were encouraged to consider a broader range of recovery options in their Recovery Plans, and the Report provides examples of which elements to include when presenting recovery options as well as elements that SCIs could consider in a feasibility assessment of the options (see below). This also extends to reviewing and considering feasibility of as well as the recovery options themselves in light of cyber-resilience.5
Misstatement of the recovery capacity: Another common flaw was an overstatement of the institutions’ own recovery capacity, which is defined as the extent to which a firm could restore its financial position following a significant deterioration of its financial situation.
Inadequate indicator frameworks: The ECB-SSM also identified a lack of robustness in the indicator frameworks, which can include, among others, capital, liquidity, operational or macroeconomic indicators as well as inadequate consideration of the supervisory dialogue flowing from the ECB-SSM administered Supervisory Review and Evaluation Process (SREP)6 or the extent of asset encumbrance generally as well as impact of non-performing exposures and loans (NPLs) specifically. SCIs are also encouraged to start including the minimum requirement for own funds and eligible liabilities (MREL) indicator in their Recovery Plans and at the latest when MREL becomes binding and applicable to them.
1. Presentation of recovery options
In terms of presentation of recovery options, the ECB-SSM pointed out the need by institutions to improve their compliance with Article 19 of the Commission Delegated Regulation, which requires an assessment of the feasibility of a timely and effective execution of the recovery option and the impact that the execution of the option would have on the firm and the financial system.
The feasibility assessment could be based on the SCI’s or its peers’ past experience, market intelligence and analysis of potential legal, operational, financial and other impediments to the exercise of the option. Analytical elements of the feasibility assessment include the potential market situation and dependence on third parties. The stated time required to realize the option should be justified, for example, by way of best practice, by breaking it down into specific actions and governance approvals required.
The impact assessment should be quantified and underpinned by adequate valuations, reflecting the marketability of assets under different conditions. As a good practice, the ECB-SSM identified providing valuations based on similar transactions conducted by the firm in the past or value achieved by peers in similar transactions. As an added value for the plan, the bank may also include a summary of the rationale for the selection of the recovery options in the plan and the reasons for rejection of other options. The reasoning may include capital and liquidity considerations.
2. Recovery capacity
In terms of overall recovery capacity (the ORC), the ECB-SSM has taken the view that banks overstated the common equity tier 1 (CET1) increase and improvement in the liquidity coverage ratio caused by the implementation of recovery options. A realistic assessment of the ORC should take into account the following factors:
Mutual exclusivity of the options, greater considerations that some recover options are fully or partially mutually exclusive and may need to be executed successively;
Interdependencies between various recovery options, for example, cancelling dividends on CET1 or AT1 instruments may have a knock-on effect on subsequent CET1, AT1 or T2 issuances;
Capacity under idiosyncratic versus system-wide events, which may cause the recovery capacity to differ, depending on the scenario;
Reputational effects, which may occur if multiple recovery options are executed at the same time, for example, if multiple subsidiaries are being disposed of;
Operational capability, in particular when multiple options are executed in parallel, the SCI may not have the operational human and other resources to execute the various recovery options;
Consequences for the business model, and the impact on the options on the long-term viability of the business model, especially following the execution of a combination of recovery options;
Proper testing of the set of options, should take into account all of the available options allowing them to recover in a range of scenarios based on events and factors most relevant to the SCI;
Optimizing for capital and liquidity crisis situations, such as distinguishing between the recovery capacity in solvency and liquidity-induced crises.
Another best practice identified was to list the potential recovery options under each stress scenario, and then distinguish between those that would be exercised in a recovery and those that would be triggered in a contingency situation. In a recovery scenario, the SCI would usually select the easy to achieve options, which are not disruptive to the business model and would not alert the market.
3. Recovery indicator frameworks
In terms of the recovery indicators used, the ECB-SSM observed that a number of SCIs did not use all of the mandatory indicators set out in the EBA Guidelines. The ECB-SSM also noted that the selected indicators did not always accurately match the bank’s risk profile. For example, almost 44 percent of a sample of 22 SCIs, which had incurred high operational losses in the past, did not include operational risk indicators in their recovery frameworks. The ECB-SSM’s supervisory expectations are clear that this gap must be rectified. Moreover, SCIs are also expected to calibrate the indicator thresholds appropriately, allowing the thresholds to be breached sufficiently early to provide the SCI with ample time to execute the recovery options before regulatory capital and liquidity requirements have been breached. The indicator framework should also be integrated in the business-as-usual risk management and aligned with the existing capital plan and liquidity contingency plan thresholds.
As a result, SCIs are encouraged to be clearer in distinguishing between those measures that are part of (X) liquidity contingency plans and the business as usual environment and (Y) of the Recovery Plan. Failure to categorize and distinguish which measures fit where, could, even if there are overlaps and a potential to progress from business-as-usual contingency measures to Recovery Planning, lead to double-counting and misrepresent the viability of the SCI, its road to recovery and the ORC.
Operationalization of Recovery Plans – Playbooks and Dry Runs
The Report stated that in the coming supervisory cycles the ECB-SSM will focus on the operationalization aspect of the plans, assessing the evidence that the recovery plan and the individual recovery options could be applied in times of stress. A chart7 showing the size of Recovery Plans by number of pages demonstrates the willingness to shift away from treating recovery planning as a compliance exercise to more meaningful documents, which can be incorporated into the SCI’s risk management. The issue concerning the current size of Recovery Plans was even identified in the Report as an impediment to the operationalization of recovery planning – i.e. it is difficult to prevent “too big to fail” if the SCI’s plan to do so is “too big to read”.
The operationalization would include so-called “Playbooks”, where the operational actions which would be taken by the senior management of the SCI are detailed as a steps plan of business process workflows, often in a more visual format. The Report describes these as a “concise implementation guide”. While there are no clear rules to how long and detailed a Playbook ought to be it will have to be detailed enough and clear to follow to act as the abridged version of a much longer Recovery Plan.
The Report also sets out examples of best practice content of Playbooks. Specifically it considers “good” Playbooks those that clearly set out:
The crisis management governance, including roles and responsibilities;
A swift and effective decision-making chains including pro forma documents as well as decision-making standing agenda points for recurring items as well as those that need to be taken in the first 48 hours of the Recovery Plan being triggered;
An overall escalation procedures;
A tabular overview of recovery options, which include figures or visual representations of costs, timelines to implementation, degree of impact on the SCI and the financial system, based on a red, amber and green measure as well as who is responsible for the execution of the relevant recovery option; and
A contact list with external and internal stakeholders, a communications plan as well as a list of impacted and relevant policies and procedures.
The creation and maintenance of a Playbook likely require dedicated support from internal and external stakeholders to make sure that both it and the Recovery Plan are maintained in a continuous fashion and are sufficiently accessible and clear for stakeholders and supervisors. It is also to be expected that the ECB-SSM will still require that senior management and key function holders are familiar with the contents of both the Playbook and the Recovery Plan. There will be no “free passes” awarded for reading just the “abridged” version of what in many cases will be the considerably longer opus.
Operationalization does not just end with Playbooks. The Report suggests, in keeping with existing EU rules and good practice on business continuity management, that SCIs undertake “dry runs” where parts of the Recovery Plan are tested. A dry run is a “live” simulation of the Recovery Plan being put through its paces to demonstrate whether the selected part of the Recovery Plan could be implemented in a crisis situation, to train staff and to identify areas for improvement.
The areas that can be tested include the decision-making procedures, the availability of information, operational aspects (for example the viability of the decision-making timelines) and communication strategies. Dry runs are particularly applicable for scenarios such as IT failures or cyberattacks. The ECB’s recommendations for conducting dry runs include ensuring the involvement of the bank’s management body, clearly defining the scope of the exercise, adequate preparation, including setting out detailed assumptions, informing everyone involved that a dry run will take place, as well as setting realistic timelines, corresponding to a stress situation.
These exercises will not be mandatory, and other approaches will be permitted for SCIs to demonstrate that their Recovery Plans could be used in stress but it is conceivable that the ECB-SSM, especially for those SCIs that are deemed to be “complex” may request an explanation as to why a SCI has not conducted a dry run.
Other best practices include the presence of independent observers, such as the internal audit function, a timely follow up, recurrent exercise of the dry runs (e.g. on an annual basis) and communication of the outcome to the supervisor.
Next steps for credit institutions
Although the ECB-SSM Report is aimed at improving compliance with existing requirements through more robust analytics, the move towards operationalization of the Recovery Plans may require a closer look at the role of project governance of Recovery Plan management in non-stress and stress/trigger situations as well as how these requirements interface with other regulatory initiatives, as well as with the business-as-usual risk management processes.
The Report is quite clear that the dry runs are properly prepared, periodically tested with sufficient prior communication and a realistic and timely defined scope and objective coupled with “clear ownership” by the management body of the SCI in respect of the Recovery Plans but also the dry runs are seen as a best practice principle. As a result, one would expect that this ownership needs to be evidenced by a named person but also that said person is supported and trained by suitably qualified members of the SCI’s respective governance, risk and compliance functions as well as external counsel where required.
The supervisory expectations relating to different regulatory exercises have largely been developed in silos, however, for SCIs, the required recovery planning enhancements may be a good opportunity to integrate the analytics applied across the different exercises. A holistic approach to recovery planning may require integrating risk management and stress testing, as well as linking it with the approach to capital and liquidity management, including capital and liquidity contingency plans, as well as crisis management arrangements.
The integration within the risk management framework may include taking action to embed recovery planning into the bank’s existing risk appetite and risk tolerance frameworks, as well as into the existing data aggregation and reporting structures, and incorporate recovery planning information and indicators into management information and processes.
The analysis feeding into the Recovery Plan document will need to be comprehensive, as highlighted in the analysis of the best practices on the Presentation of recovery options and Misstatement of the recovery capacity above. The feasibility of execution of the identified recovery options needs to be tested and the impact on the firm and the financial system adequately assessed and valued.
There is one more exercise that may join the suite of regulatory stress scenario exercises required by the regulators. In mid-April 2018, the press reported that certain Global Systemically Important Financial Institutions prepare solvent wind-down plans, an exercise which a number of such firms may be familiar following a number of iterations of solvent wind down plans required by the US and the UK regulators. The exercise has been used by the UK and US regulators to understand the cost of winding down a business, in particular the trading book, providing a view on the complexity and maturity of the trading book, as well as capital and liquidity implications. The ECB-SSM has not yet publicly stated whether other banks are or will be in scope of this exercise beyond those that were initially addressed. Rather frustratingly for other SCIs and other BUSIs, there is a lack of public information available, as of yet, on how the ECB-SSM’s approach compares to those of the US and UK peers even if it has become apparent that a certain amount of data items may have been duplicated.
Next steps for supervisory and resolution authorities
Just as the Report flags that recovery planning is a continuous effort for SCIs, the European Court of Auditors in their report on “The operational efficiency of the ECB’s crisis management for banks”8 (the Audit Report) suggested a number of ways in which supervisors may (improve the) use the Recovery Plan assessments in day-to-day supervision. This statement follows previous criticism that Recovery Plans are theoretical, redundant documents, whereby no evidence or assurance that a bank could realize the recovery options presented in the plan is provided.
The Audit Report provides examples of actions that can be taken by supervisors in order to improve assurance over the viability of the Recovery Plan, including on-site inspections to verify the accuracy of the data and the assumptions included in the Recovery Plan, and monitoring whether banks have taken action provided in the Recovery Plan, but without labelling it as such. In terms of crisis identification, it was recommended that the Joint Supervisory Teams have access to an automatic monitoring of the institution-specific triggers.
The coordination between the supervisory and resolution planning authorities within the Banking Union has also been identified as an area pending completion. An improved cooperation between the authorities representing the two Banking Union Pillars, including information sharing in non-crisis and crisis situations, would not only ensure that the information requests and assumptions are aligned, but also that there is an integrated approach to crisis management across the authorities.
Although the cross-institutional Banking Union crisis management architecture needs to be further operationalized and improved, as indicated by the Audit Report, the ECB-SSM led iterative recovery planning exercise is taking shape. Consequently for stakeholders, this merits a long-term strategic approach on the integration with business-as-usual activities, other regulatory exercises and business continuity or crisis management activities.
The ECB-SSM Report should therefore provide a helpful starting point in ensuring that the regulatory requirements are met on an on-going basis in a way that aligns with the supervisory expectations and evidencing that an implementation of the plan would be possible in a stress situation. We would expect that the ECB-SSM treat its Report as the first in a series and use it as a tool that is complementary to firm-specific supervisory engagement to improve best practice amongst firms it supervises.
1. See: https://www.bankingsupervision.europa.eu/ecb/pub/pdf/ssm.reportrecoveryplans201807.en.pdf?fa1ecc99e42320376eafda8cba80327e
3. See: Commission Delegated Regulation (EU) 2016/1075 https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R1075&from=EN
4. See: https://www.eba.europa.eu/regulation-and-policy/recovery-and-resolution
5. Please see our dedicated coverage on the ECB’s new rules on cyber resilience published May 2018 available here
6. Ideally globally active SCIs will also want to factor in results from non-ECB-SSM SREP and similar assessments as well.
7. Chart 8, page 32 of the Report.